Meta’s $499 virtual reality headsets are vulnerable to “Inception-style” hacking attacks that allow offenders to gain control of the headsets and steal sensitive information without the user being aware of it, according to a study.
Computer science researchers at the University of Chicago published an academic paper last week in which they described how they were able to exploit a flaw in the Meta Quest VR’s security system to execute the sophisticated attack.
The researchers created a malicious app that installs code into the VR system which then creates a replica home screen and apps that appear identical to the original screen, according to MIT Technology Review, which first obtained the study.
The attack is compared by the researchers to the plot line of the hit 2010 sci-fi action thriller “Inception,” where Leonardo DiCaprio plays a thief who steals information by infiltrating the subconscious minds of his victims.
Once the malicious code was installed, hackers are able to see, record and manipulate any action that the user can execute with the headset.
The hackers can effectively take control of key functions such as voice, gestures, keystrokes and browsing activities.
“While the user thinks they are interacting normally with different VR applications, they are in fact interacting within a simulated world, where everything they see and hear has been intercepted, relayed, and possibly altered by the attacker,” the researchers wrote in the study.
That means a VR user who is chatting with a friend can have their messages intercepted and manipulated based on the hacker’s wishes without either of the chat participants knowing about it, according to the researchers.
In another instance, hackers were able to see when a user entered their login credentials to their bank account. They were then able to manipulate the screen in order to manipulate the bank balance so that it shows an incorrect number.
In the experiment, a VR headset user who tried to pay someone $1 through the headset ended up paying $5 without the user realizing it because the researchers were able to change the amount transferred.
The researchers said that the attack can only take place when the hackers are using the same WiFi network as their target.
The users of the headset are vulnerable to attack if they have their device on “developer mode” which allows them to download third-party apps.
The experts recommend that those who buy a headset defend themselves by restoring the device to factory settings, which would remove the malicious app.
“We constantly work with academic researchers as part of our bug bounty program and other initiatives,” a Meta spokesperson told MIT Technology Review.
Meta’s VR headset is part of its multi-billion dollar investment in the metaverse — a virtual, three-dimensional world where avatars interact with one another.
In October, Meta debuted the Quest 3 headset, but the company’s Reality Labs, the division that developed the device, recorded an operating loss of more than $4.6 billion in the fourth quarter of 2023.
The company has said that it expects Reality Labs’ losses to “increase meaningfully year-over-year” due to its AR and VR product development and “investments to further scale our ecosystem.”
Meta didn’t immediately respond to requests for comment.
Source